Message-ID: <54186365.1010806@gmx.com>
Date: Tue, 16 Sep 2014 11:20:53 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
To: tor-talk@lists.torproject.org
References: <541739B5.4070103@gmx.com> <20140915224224.71bed7bf@meilong>
 <20140915211606.GB4565@torproject.org>
 <20140916051316.GO32100@patternsinthevoid.net>
In-Reply-To: <20140916051316.GO32100@patternsinthevoid.net>
Subject: Re: [tor-talk] more sites requiring captchas from Cloudfare (using
 Google API?)

On 9/16/2014 12:13 AM, isis wrote:
> +1 However, I don't know of a competitor to Cloudflare who provides 
> *free* (as in beer) (D)DoS-protection via reverse webproxies, not to 
> mention all the other bells and whistles which Cloudflare offers. 
> It'll be hard to make the argument to switch for user-privacy reasons, 
> given the seeming lack of marketed alternatives. Can anyone recommend 
> a comparable alternative to Cloudflare?
I know nothing about Cloudflare's "business model."  But, the old saying, 
"There's no such thing as a free lunch," is still true. Unless they're a 
philanthropic org., that gets all funding from donations & grants, they 
are making money somehow.  Leaving the most likely explanation for them 
providing a "free" service (similar to):  *Cloudflare makes money from 
user data on the site(s).*

They may / may not be able to get enough data from Tor users to make it 
worthwhile.  Thus, possibly the captchas for TBB, that often don't work, 
or requiring Tor users to repeat captchas, on the same site during SAME 
session.  Even when JS & cookies are enabled.

Cloudflare's captcha process could be buggy - accounting for some of the 
issues, but
(1)  They still can't operate w/o generating income.  They're not Santa 
Claus;
(2) Captchas don't seem to be presented to Firefox users (definitely not 
EVERY time, as with TBB).
(3) They're also requiring that scripts be allowed from Google.com. And 
Google is NOT a philanthropic organization.
(4) A fact that must be accepted is, a lot of people & malicious 
"groups" do use TBB for spamming & all sorts of undesirable things.  
Which sites must protect themselves against.
(5) Comments from Cloudflare's Nick Sullivan (or heads of any company or 
LEA) are basically worthless.  These people get paid to lie to protect 
their organization's interest.  They all *regularly lie* at 
Congressional hearings & in courts of law.  That's a fact. Sometimes 
they're caught telling bald-faced lies, but usually nothing happens to 
them.

Now, if Cloudflare *changes* how their captchas work & stops requiring JS 
/ cookies from them & Google, that will actually mean something.  Until 
then, it's just a lot of hot air.
> I have considered starting an outreach effort to speak to the maintainers of
> some of these sites, with the idea that I might gather sympathy from certain
> communities who use Cloudflare.
>
> For example, as you mentioned, the Bitcoin community, which I have personally
> noticed while having discussions with some of the core bitcoin developers, who
> pointed me to various bits of Bitcoin documentation... which I was
> frustratingly unable to access due to an infinite CAPTCHA loop from
> Cloudflare. The core Bitcoin developers, from my experience, are all extremely
> well-informed about Tor and related privacy and security issues. I would guess
> that they are likely using Cloudflare primarily as a mechanism to decrease the
> attack surface of their sites, and probably are already aware (or would be
> upset to learn) that Cloudflare sometimes prevents Tor users from accessing
> the content entirely.
>
>
>> Has anyone else noticed Cloudflare captchas on sites that they would
>> otherwise expect to be run by Tor-friendly entities?
>>
> Here's the beginnings of your list. Others should feel free to amend.
>
> Possibly-Tor-sympathetic sites which use Cloudflare:
> ----------------------------------------------------
>   * [The Bitcoin Wiki](https://en.bitcoin.it)
>   * [Open Tech Fund](https://www.opentechfund.org/)
>
>
>
>


